Problem with OpenSSH 2.3.0p1/2.5.1p1 and AIX

Frank Crawford Frank.Crawford at ac3.com.au
Thu Feb 22 15:39:24 EST 2001


We have come across a problem with OpenSSH 2.3.0p1 (and still in
2.5.1p1) which affects authentication on an AIX 4.3 system.

The code in auth-passwd.c at line 168 reads:

#ifdef WITH_AIXAUTHENTICATE
 return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
#endif

however, the AIX manual page for "authenticate" states:


"The authenticate subroutine maintains requirements users must satisfy to be
authenticated to the system. It is a recallable interface that prompts for the
user's name and password. The user must supply a character string at the prompt
issued by the Message parameter. The Response parameter returns the user's
response to the authenticate subroutine. The calling program makes no
assumptions about the number of prompt messages the user must satisfy for
authentication.

The Reenter parameter remains a nonzero value until the user satisfies all
prompt messages or answers incorrectly. Once the Reenter parameter is zero, the
return code signals whether authentication passed or failed."

And in our setup locally we have multiple authentication methods, which
require authenticate to possibly loop multiple times.  What makes it
even more of a security problem is the first time around, "authenticate"
returns 0 (but with reenter set to 1) for any password.

The entry we have in /etc/security/user is:

demo:
    admin=false
    auth1=k4init
    SYSTEM="NONE"

An obvious simple fix is to put the block in a loop, while reenter is
non-zero, but on a quick test we did, that seemed to still fail.  We are
currently looking into why this failed, but decided to also report the
problem now, due to the security risk.

Frank Crawford

--
ac3
Suite G16, Bay 7, Locomotive Workshop   Phone:  02 9209 4600
Australian Technology Park              Fax:    02 9209 4611
Eveleigh   NSW   1430
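
Added example, not part of the original post or of OpenSSH: a small C model of the contract in the quoted manual page, comparing the single-call check from auth-passwd.c with a caller that trusts the return code only once reenter is zero. mock_authenticate(), the sample password and the retry bound are constructed stand-ins for illustration; this is not the AIX routine and was not run on AIX.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for AIX authenticate(): NOT the real library routine.
 * Models the behaviour reported above: the first call returns 0 with
 * *reenter = 1 for any response; the second call gives the real verdict. */
static int step;                       /* mock state: prompts answered so far */
static const char *GOOD = "s3cret";    /* constructed sample password */

static int mock_authenticate(const char *user, const char *response,
                             int *reenter, char **message)
{
    (void)user;
    if (step++ == 0) {                 /* first prompt: nothing verified yet */
        *reenter = 1;
        *message = "Password: ";
        return 0;
    }
    *reenter = 0;                      /* final answer: rc is now meaningful */
    *message = NULL;
    return strcmp(response, GOOD) == 0 ? 0 : 1;
}

/* Pattern quoted from auth-passwd.c: one call, reenter ignored. */
static int check_single_call(const char *user, const char *password)
{
    int reenter = 0; char *authmsg = NULL;
    step = 0;
    return mock_authenticate(user, password, &reenter, &authmsg) == 0;
}

/* Contract from the manual page: rc counts only once reenter is zero. */
static int check_until_done(const char *user, const char *password)
{
    int reenter = 1, rc = -1, tries = 0; char *authmsg = NULL;
    step = 0;
    while (reenter != 0 && tries++ < 8)   /* bound the loop: fail closed */
        rc = mock_authenticate(user, password, &reenter, &authmsg);
    return reenter == 0 && rc == 0;
}

int main(void)
{
    printf("single call, wrong password: %d\n", check_single_call("demo", "wrong"));
    printf("looped,      wrong password: %d\n", check_until_done("demo", "wrong"));
    printf("looped,      right password: %d\n", check_until_done("demo", "s3cret"));
    return 0;
}
```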






